[Battlemesh] Routing Tables of Death
dave.taht at gmail.com
Tue Mar 7 22:56:11 CET 2017
On Tue, Mar 7, 2017 at 1:29 PM, Pau <pau at dabax.net> wrote:
> Would be interesting to see if bmx7 (with security extensions ) is
> able to minimize the impact of such kind of attack. Of course the
> network flooding will still be a problem but if the routing protocol can
> survive to it the attack impact would reduce drastically.
>  http://bmx6.net/documents/30
My principal observation on this front at the moment is that routers tend
to bottleneck on serving packets, and starve userspace daemons under
loads like that.
More testing is needed in these circumstances. I was using the flent
tools to stress the forwarding path, and observing many anomalies on
routing behaviors, of late. Here for example is what happened to me
with 10k routes on an apu2, which as a quad core x86_64, is fully
capable of forwarding well over a gbit/sec - but as the routing daemon
ate more than a core and couldn't keep up, it would lose connectivity
I've seen the same things happen at smaller scales on weaker boxes
(I'd been saying for years that many routing problems were congestive
in nature, but had not got around to reliably simulating it til this
past month, figuring that with fq_codel and ATF, many would go away.
They didn't - because we haven't fixed wifi multicast yet).
I was also recently doing myself in with some bad interactions between
odhcpd, network-manager, and babeld in multiple circumstances.
There's a ton of mostly crappy work to try and handle error handling
better, as well as deal with cpu overload and network bufferbloat
better going on in my rabeld repo that I'm in the process of
organizing and cleaning up. Don't look there. It's a mess, currently,
with only 6 or so good ideas out of 200+ commits.....
As for bmx7:
Adding userspace crypto into the mix may make things worse, rather
than better, and perhaps punting more of the work to the kernel, and
adopting a more hard RT perspective in multiple daemons to getting out
vital packets like hellos and ihus while doing other processing, will
BPF is hairy, but it's got much easier of late with the availability
of an llvm compiler. It's a write-once sort of language.
More information about the Battlemesh